I have 2 Solaris 10 systems that I'd like to do a P2V on for the moment, and 
then at some point convert/rebuild them into native OpenSolaris as the products 
I want to run on them are known to work.

The first system is an external facing firewall/NAT box that also serves WWW, 
MySQL, DNS, etc.

The second system is connected to it via a cross over cable, has IP Filter 
protecting it against any break-ins that might happen on the external box.  It 
runs SRSS, SGD, NFS, Samba, and acts as the router for the internal network to 
the external FW/NAT box. (basically providing a 2 layer firewall protection 
scheme for the internal network).

What I would like to do is take a single 8GB Q6600 system running 2008.11 and 
xVM and virtualize these two onto it.

My biggest concern is the security of the externally facing system and its 
interface.  Under xVM, can I completely dedicate a hardware NIC to an xVM 
instance w/o plumbing any kind of IP address on the host?

Then in software, I would like to logically "tie" the internal facing interface 
of the external host, and the external facing interface of the internal host, 
and run IP Filter on that interface to further protect the internal host.
This internal host might be another xVM instance, or it might be the host 
OpenSolaris instance.  Is it possible to do that without using any physical NICs?
I would like to do this to save hardware, and for performance reasons.

Perhaps an ASCII picture might help....

 Inet -->IPF A -->  IPF B --> internal net
            DNS             SRSS
            SQL             SGD
            WWW             Samba
                            NFS
                            OtherApps

And basically make it look like

          |----------------------|
          |                      |
Inet -----|-->IPF A              |
          |     Ve               |
          |      |               |
          |      |               |
          |    IPF(v)            |
          |     (Vi)             |
          |      |               |
          |      |          B    |
          |    C-|          |    |
          |      |          |    |
          |      |----------|---->Internal net
          |                      |
          |----------------------|

So now basically, A and B (Solaris 10) run inside C (Open Solaris 2008.11).  C 
now runs NFS, CIFS, with SGD and SRSS staying inside of B.

Ve is now a virtual internal facing interface of the externally exposed virtual 
instance A.   Vi would be the virtual external facing interface of the former 
B.  A stub virtual network with IPF running on C's Vi filtering traffic from 
A's Ve.
C would now be the router from the Internal net to A's external net, and B 
would be in the same subnet as C's internal network.

Questions:

Can a hardware NIC act as a dedicated interface to A, and be tied directly to 
the virtual instance of A, so that no IP is plumbed in C, so there is no attack 
vector from outside forces directly able to get to C?

Can a virtual interface be created between Virtual instance A and the host 
network C and stick IPFilter into it to act as a second layer of defense in 
case A is breached?

Thanks for any thoughts.  (I hope this isn't too confusing...)
-- 
This message posted from opensolaris.org
_______________________________________________
xen-discuss mailing list